option to disable runtime code evaluation

apache · Sep 9, 2016 · d6abc18 · d6abc18
1 parent 33a7141
commit d6abc18
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 1 deletion.
diff --git a/rebar.config.script b/rebar.config.script
@@ -29,7 +29,7 @@ DepDescs = [
 {b64url,           "b64url",           "6895652d80f95cdf04efb14625abed868998f174"},
 {couch_log,        "couch-log",        "ad803f66dbd1900b67543259142875a6d03503ce"},
 {chttpd,           "chttpd",           "c6b044006fcb58386099105fb6d9e0a036a62ed9"},
-{couch,            "couch",            "72869b8bf139ffc2542d02a2bd3b862042a668c3"},
+{couch,            "couch",            "092dec86bbf068e0ab99f6586668260515fc86a9"},
 {couch_index,      "couch-index",      "53555fd909d5dd3d4a610c3fd6795950a8f7d022"},
 {couch_mrview,     "couch-mrview",     "a0b0392afe66ece9ef3bb4fdd5a4f159c97c47eb"},
 {couch_replicator, "couch-replicator", "b9232c8d410d529d65030896e075c4b4327631b0"},

diff --git a/test/javascript/tests/view_sandboxing.js b/test/javascript/tests/view_sandboxing.js
@@ -145,6 +145,47 @@ couchTests.view_sandboxing = function(debug) {
   }
 */
 
+  // test that runtime code evaluation can be prevented
+  console.log('TODO: config port not available on cluster');
+  /*var couchjs_command_xhr = CouchDB.request(
+    "GET", "/_config/query_servers/javascript");
+
+  var couchjs_command = JSON.parse(couchjs_command_xhr.responseText);
+  var couchjs_command_args = couchjs_command.match(/\S+|"(?:\\"|[^"])+"/g);
+
+  couchjs_command_args.splice(1, 0, "--no-eval");
+  var new_couchjs_command = couchjs_command_args.join(" ");
+
+  run_on_modified_server(
+    [{section: "query_servers",
+      key: "javascript",
+      value: new_couchjs_command}],
+    function () {
+      var ddoc = {
+        _id: "_design/foobar",
+        language: "javascript",
+        views: {
+          view: {
+            map:
+            (function(doc) {
+              var glob = emit.constructor('return this')();
+              emit(doc._id, null);
+            }).toString()
+          }
+        }
+      };
+
+      db.deleteDb();
+      db.createDb();
+      T(db.save(ddoc).ok);
+
+      T(db.save(doc).ok);
+      var results = db.view(
+        "foobar/view", {bypass_cache: Math.round(Math.random() * 1000)});
+
+      TEquals(0, results.rows.length);
+    });*/
+
   // cleanup
   db.deleteDb();
 };